VPN via openconnect-sso (Docker)

This guide describes how to connect to a Cisco AnyConnect-compatible VPN using openconnect-sso running inside a Docker container, with automatic DNS configuration on connect. It is assumed the WM / compositor of the client is Wayland.

Prerequisites

• Docker installed and running
• doas configured
• The openconnect-sso Docker image built (see below)
• A VPN-specific resolv.conf saved at ~/.local/resolv.conf

If you don't know the DNS for resolv.conf, you can remove that part and connect via IP(s) directly, not DNS.

Building the Docker image

Save the following as Dockerfile.openconnect-sso:

FROM python:3.11-slim

RUN apt-get update && \
    apt-get install -y \
      openconnect \
      sudo \
      libqt6gui6 \
      libqt6widgets6 \
      libqt6webenginecore6 \
      libqt6webenginewidgets6 \
      qt6-wayland \
      libgl1 \
      libxkbcommon0 \
      libdbus-1-3 \
      libegl1 \
      libnss3 \
      libnspr4 \
      libxcomposite1 \
      libxdamage1 \
      libxrandr2 \
      libxtst6 \
      libxslt1.1 \
      libglib2.0-0 \
      libasound2 \
      libxcursor1 \
      fonts-liberation && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

RUN pip install --no-cache-dir openconnect-sso

RUN useradd -m -s /bin/bash vpnuser && \
    echo "vpnuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

USER vpnuser
WORKDIR /home/vpnuser

ENV QT_QPA_PLATFORM=wayland
ENV XDG_RUNTIME_DIR=/tmp

ENTRYPOINT ["openconnect-sso"]

Build and create the container:

docker build -f Dockerfile.openconnect-sso -t openconnect-sso .
doas docker create -it \
  --name openconnect-sso \
  --privileged \
  --net=host \
  -v /etc/ssl/certs:/etc/ssl/certs:ro \
  -e WAYLAND_DISPLAY=$WAYLAND_DISPLAY \
  -e XDG_RUNTIME_DIR=/tmp \
  -e QT_QPA_PLATFORM=wayland \
  -v $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:rw \
  --device /dev/net/tun \
  openconnect-sso:latest \
  --server your-vpn-gateway \
  --user your-username

DNS configuration

When the VPN connects, a tun0 interface is created but the system DNS is not automatically updated. To resolve internal hostnames, save your VPN network's DNS settings to ~/.local/resolv.conf. This file will be copied to /etc/resolv.conf once the tunnel is up.

Connecting

Save the following script (e.g. ~/.local/bin/vpn-connect.sh) and make it executable:

#!/bin/sh
# Wait for tun interface, then set DNS
(
  while ! ip addr show tun0 2>/dev/null | grep -q inet; do
    sleep 1
  done
  doas cp ~/.local/resolv.conf /etc/
) &
# Start VPN in foreground
doas docker start -ai openconnect-sso

chmod +x ~/.local/bin/vpn-connect.sh

Run it:

~/.local/bin/vpn-connect.sh

A browser window will open for SSO authentication. After completing login, the VPN tunnel will establish and DNS will be updated automatically.

How it works

The script starts a background subshell that polls for the tun0 interface. Once the interface has an IP address assigned (meaning the tunnel is up), it copies the VPN-specific resolv.conf into place. Meanwhile, the Docker container runs in the foreground so its output and the SSO browser window remain accessible.

Disconnecting

Close the foreground process with Ctrl or stop the container:

doas docker stop openconnect-sso

You may also want to restore your original /etc/resolv.conf afterwards if it is not managed by another service.

Why use Docker?

System updates broke the bare metal openconnect-sso install. Docker keeps things static. Another way would be pyenv - please add steps below if you succeed with it.

See also

• Docker image example on hub.docker.com - Uses an Alpine Linux-based container using OpenConnect and OpenSSH Docker. Also enables automatic server certificate handling, which simplifies configuration.
• An openconnect-sso Docker implementation for X11 - Includes host networking.
• openconnect-sso GitHub repository - Installation, authentication logic, usage (without Docker), authentication logic and for updates upstream.